Data localisation is not enough

The Justice Srikrishna Committee in its report accompanying the draft Personal Data Protection Bill released on July 27 notes that eight of the top 10 most accessed websites in India are owned by U.S. entities.

This reality has often hindered Indian law enforcement agencies when investigating routine crimes or crimes with a cyber element.

The committee seeks to correct this.

The Bill calls for a copy of user data to be mandatorily localised in India, believing that it will “boost” law enforcement efforts to access data necessary for investigation and prosecution of crimes.

A fundamental error:

A fundamental error that the Srikrishna Committee seems to have made is in its belief that the location of data should determine who has access to it

The reason that Indian law enforcement relies on an outdated Mutual Legal Assistance Treaty (MLAT) process to obtain data stored by U.S. companies is because the U.S. law effectively bars these companies from disclosing user data to foreign law enforcement authorities

Technology companies are allowed to share data such as content of an email or message only upon receiving a federal warrant from U.S. authorities

This scenario will not change even after technology companies relocate Indian data to India

Mandates local storage of data:

The draft bill mandates local storage of data relating to Indian citizens only

Localisation can provide data only for crimes that have been committed in India, where both the perpetrator and victim are situated in India

Prevalent concerns around transnational terrorism, cyber crimes and money laundering will often involve individuals and accounts that are not Indian, and therefore will not be stored in India

For investigations into such crimes, Indian law enforcement will have to continue relying on cooperative models like the MLAT process

Location the sole measure:

Questions around whether access to data is determined by the location of the user, location of data or the place of incorporation of the service provider have become central considerations for governments seeking to solve the cross-border data sharing conundrum

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed by the U.S. Congress earlier this year, seeks to de-monopolise control over data from U.S. authorities

The law will for the first time allow tech companies to share data directly with certain foreign governments

This requires an executive agreement between the U.S. and the foreign country certifying that the state has robust privacy protections and respect for due process and the rule of law

The CLOUD Act creates a potential mechanism through with countries such as India can request data not just for crimes committed within their borders but also for transnational crimes involving their state interests

Conclusion:

With the highest number of users of American technology offerings and a high number of user data requests, second only to the U.S., India is a clear contender for a partnership under the CLOUD Act. If New Delhi recognises this opportunity and reforms laws around government access to data, both the Indian user and law enforcement will be better served in the long run.